Australian Privacy Act
The Privacy Act promotes and protects the privacy of individuals in Australia. It regulates the handling of personal information by organizations in the federal public sector and in the private sector.
Definition and purpose
The Privacy Act provides 13 Australian Privacy Principles (APPs). APPs set out standards for the collection, use, disclosure, quality and security of personal information as well as obligations for agencies and organizations concerning access to, and correction of, an individual's own personal information.
These are designed to protect individuals’ privacy rights without burdening agencies and organizations with inflexible and overly prescriptive rules. Called principles-based law, APPs enable an organization or agency to tailor their personal information handling practices to their business models and the diverse needs of individuals.
The Office of the Australian Information Commissioner (OAIC) is the regulatory authority responsible for overseeing and enforcing compliance with the Privacy Act. The OAIC educates organizations and individuals about privacy rights, investigates acts or practices that may interfere with the privacy of an individual or a breach of APP1, and conducts assessments of privacy performances for both Australian Government agencies and businesses.
First introduced in 1988, the Privacy Act was last updated in October 2023.
The Australian Privacy Act applies to Australian government agencies and private sector organizations with an annual turnover of $3 million or more.
Controls and requirements
The Privacy Act sets out several key principles that organizations must adhere to, including:
- Managing personal information in an open and transparent way
- Collecting only necessary information
- Providing individuals with notice about the collection of their data
- Ensuring the security of personal information
- Allowing individuals to access and correct their information
- Obtaining consent for certain uses of the data
Please refer to the official legislation for a detailed list of controls and requirements.
Audit type, frequency, and duration
The Australian Information Commissioner has powers to conduct privacy assessments of agencies and organizations covered by the Privacy Act, also known as APP entities. A privacy assessment provides a professional, independent and systematic appraisal of how well an agency or organization complies with all or part of its privacy obligations. It typically involves four stages: targeting, planning, fieldwork and reporting.
Both the frequency and duration of these assessments vary.